Fix for TLS v1.3 key log examples (#273)

tls/README.md

@@ -1198,19 +1198,22 @@ See the `client-tls-cryptocb.c` example for demonstrating the `--enable-cryptocb
 
 Build wolfSSL with `HAVE_SECRET_CALLBACK` included:
 
-```
+```sh
 ./configure --enable-tls13 CFLAGS="-DHAVE_SECRET_CALLBACK" && make && sudo make install
 ```
 
 In wolfssl-examples/tls:
-```
+
+```sh
 make clean && make
 ./server-tls13 &
 ./client-tls13 127.0.0.1
+
+# Execute client-tls13 again with the message "shutdown" in order to end the execution of the server.
 ```
 
 Wireshark can decode traffic using the created "sslkeylog.log". To configure in Wireshark Prferences go to Protocols -> TLS. In the "(Pre)-Master-Secret log filename" choose the "sslkeylog.log" file in this directory.
-Capture TLS traffic and all packets will be decrypted (handshake and application data).
+Capture TLS traffic and all packets will be decrypted (handshake and application data). To see application data decrypted you may have to right-click on packet click "Follow" -> "TLS Stream".
 
 
 ## TLS over UART Example

tls/client-tls13.c

@@ -34,6 +34,7 @@
 #include <wolfssl/options.h>
 #include <wolfssl/ssl.h>
 #include <wolfssl/wolfio.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
 
 #define DEFAULT_PORT 11111
 
@@ -52,7 +53,7 @@ static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret
     int i;
     const char* str = NULL;
     unsigned char clientRandom[32];
-    size_t clientRandomSz;
+    int clientRandomSz;
     XFILE fp = stderr;
     if (ctx) {
         fp = XFOPEN((const char*)ctx, "ab");
@@ -61,9 +62,18 @@ static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret
         }
     }
 
-    clientRandomSz = wolfSSL_get_client_random(ssl, clientRandom,
+    clientRandomSz = (int)wolfSSL_get_client_random(ssl, clientRandom,
         sizeof(clientRandom));
 
+    if (clientRandomSz <= 0) {
+        printf("Error getting client random %d\n", clientRandomSz);
+    }
+
+#if 0
+    printf("TLS Client Secret CB: Rand %d, Secret %d\n",
+        clientRandomSz, secretSz);
+#endif
+
     switch (id) {
         case CLIENT_EARLY_TRAFFIC_SECRET:
             str = "CLIENT_EARLY_TRAFFIC_SECRET"; break;
@@ -82,7 +92,7 @@ static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret
     }
 
     fprintf(fp, "%s ", str);
-    for (i = 0; i < (int)clientRandomSz; i++) {
+    for (i = 0; i < clientRandomSz; i++) {
         fprintf(fp, "%02x", clientRandom[i]);
     }
     fprintf(fp, " ");
@@ -182,6 +192,9 @@ int main(int argc, char** argv)
     }
 
 #ifdef HAVE_SECRET_CALLBACK
+    /* required for getting random used */
+    wolfSSL_KeepArrays(ssl);
+
     /* optional logging for wireshark */
     wolfSSL_set_tls13_secret_cb(ssl, Tls13SecretCallback,
         (void*)WOLFSSL_SSLKEYLOGFILE_OUTPUT);
@@ -193,6 +206,10 @@ int main(int argc, char** argv)
         goto exit;
     }
 
+#ifdef HAVE_SECRET_CALLBACK
+    wolfSSL_FreeArrays(ssl);
+#endif
+
     /* Get a message for the server from stdin */
     printf("Message for server: ");
     memset(buff, 0, sizeof(buff));

tls/server-tls13.c

@@ -30,16 +30,23 @@
 #include <netinet/in.h>
 #include <unistd.h>
 
+#define HAVE_SIGNAL
+#ifdef HAVE_SIGNAL
+#include <signal.h>        /* signal */
+#endif
+
 /* wolfSSL */
 #include <wolfssl/options.h>
 #include <wolfssl/ssl.h>
 #include <wolfssl/wolfio.h>
+#include <wolfssl/wolfcrypt/error-crypt.h>
 
 #define DEFAULT_PORT 11111
 
 #define CERT_FILE "../certs/server-cert.pem"
 #define KEY_FILE  "../certs/server-key.pem"
 
+
 #if defined(WOLFSSL_TLS13) && defined(HAVE_SECRET_CALLBACK)
 
 #ifndef WOLFSSL_SSLKEYLOGFILE_OUTPUT
@@ -53,7 +60,7 @@ static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret
     int i;
     const char* str = NULL;
     unsigned char serverRandom[32];
-    size_t serverRandomSz;
+    int serverRandomSz;
     XFILE fp = stderr;
     if (ctx) {
         fp = XFOPEN((const char*)ctx, "ab");
@@ -62,9 +69,18 @@ static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret
         }
     }
 
-    serverRandomSz = wolfSSL_get_server_random(ssl, serverRandom,
+    serverRandomSz = (int)wolfSSL_get_server_random(ssl, serverRandom,
         sizeof(serverRandom));
 
+    if (serverRandomSz <= 0) {
+        printf("Error getting server random %d\n", serverRandomSz);
+    }
+
+#if 0
+    printf("TLS Server Secret CB: Rand %d, Secret %d\n",
+        serverRandomSz, secretSz);
+#endif
+
     switch (id) {
         case CLIENT_EARLY_TRAFFIC_SECRET:
             str = "CLIENT_EARLY_TRAFFIC_SECRET"; break;
@@ -100,31 +116,53 @@ static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret
 }
 #endif /* WOLFSSL_TLS13 && HAVE_SECRET_CALLBACK */
 
+static int mSockfd = SOCKET_INVALID;
+static int mConnd = SOCKET_INVALID;
+static int mShutdown = 0;
+
+#ifdef HAVE_SIGNAL
+static void sig_handler(const int sig)
+{
+    fprintf(stderr, "SIGINT handled = %d.\n", sig);
+
+    mShutdown = 1;
+    if (mConnd != SOCKET_INVALID) {
+        close(mConnd);           /* Close the connection to the client   */
+        mConnd = SOCKET_INVALID;
+    }
+    if (mSockfd != SOCKET_INVALID) {
+        close(mSockfd);          /* Close the socket listening for clients   */
+        mSockfd = SOCKET_INVALID;
+    }
+}
+#endif
+
 int main(int argc, char** argv)
 {
     int ret = 0;
 #ifdef WOLFSSL_TLS13
-    int                sockfd = SOCKET_INVALID;
-    int                connd = SOCKET_INVALID;
     struct sockaddr_in servAddr;
     struct sockaddr_in clientAddr;
     socklen_t          size = sizeof(clientAddr);
     char               buff[256];
     size_t             len;
-    int                shutdown = 0;
     const char*        reply = "I hear ya fa shizzle!\n";
 
     /* declare wolfSSL objects */
     WOLFSSL_CTX* ctx = NULL;
     WOLFSSL*     ssl = NULL;
 
+#ifdef HAVE_SIGNAL
+    signal(SIGINT, sig_handler);
+#endif
+
     /* Initialize wolfSSL */
     wolfSSL_Init();
 
     /* Create a socket that uses an internet IPv4 address,
      * Sets the socket to be stream based (TCP),
      * 0 means choose the default protocol. */
-    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
+    if ((mSockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
         fprintf(stderr, "ERROR: failed to create the socket\n");
         goto exit;
     }
@@ -163,24 +201,23 @@ int main(int argc, char** argv)
 
 
     /* Bind the server socket to our port */
-    if (bind(sockfd, (struct sockaddr*)&servAddr, sizeof(servAddr)) == -1) {
+    if (bind(mSockfd, (struct sockaddr*)&servAddr, sizeof(servAddr)) == -1) {
         fprintf(stderr, "ERROR: failed to bind\n");
         goto exit;
     }
 
     /* Listen for a new connection, allow 5 pending connections */
-    if (listen(sockfd, 5) == -1) {
+    if (listen(mSockfd, 5) == -1) {
         fprintf(stderr, "ERROR: failed to listen\n");
         goto exit;
     }
 
-
-    /* Continue to accept clients until shutdown is issued */
-    while (!shutdown) {
+    /* Continue to accept clients until mShutdown is issued */
+    while (!mShutdown) {
         printf("Waiting for a connection...\n");
 
         /* Accept client connections */
-        if ((connd = accept(sockfd, (struct sockaddr*)&clientAddr, &size))
+        if ((mConnd = accept(mSockfd, (struct sockaddr*)&clientAddr, &size))
             == -1) {
             fprintf(stderr, "ERROR: failed to accept the connection\n\n");
             ret = -1; goto exit;
@@ -193,9 +230,12 @@ int main(int argc, char** argv)
         }
 
         /* Attach wolfSSL to the socket */
-        wolfSSL_set_fd(ssl, connd);
+        wolfSSL_set_fd(ssl, mConnd);
 
     #ifdef HAVE_SECRET_CALLBACK
+        /* required for getting random used */
+        wolfSSL_KeepArrays(ssl);
+
         /* optional logging for wireshark */
         wolfSSL_set_tls13_secret_cb(ssl, Tls13SecretCallback,
             (void*)WOLFSSL_SSLKEYLOGFILE_OUTPUT);
@@ -210,6 +250,10 @@ int main(int argc, char** argv)
 
         printf("Client connected successfully\n");
 
+    #ifdef HAVE_SECRET_CALLBACK
+        wolfSSL_FreeArrays(ssl);
+    #endif
+
         /* Read the client data into our buff array */
         memset(buff, 0, sizeof(buff));
         if ((ret = wolfSSL_read(ssl, buff, sizeof(buff)-1)) < 0) {
@@ -223,7 +267,7 @@ int main(int argc, char** argv)
         /* Check for server shutdown command */
         if (strncmp(buff, "shutdown", 8) == 0) {
             printf("Shutdown command issued!\n");
-            shutdown = 1;
+            mShutdown = 1;
         }
 
         /* Write our reply into buff */
@@ -238,13 +282,14 @@ int main(int argc, char** argv)
         }
 
         /* Cleanup after this connection */
+        wolfSSL_shutdown(ssl);
         if (ssl) {
             wolfSSL_free(ssl);      /* Free the wolfSSL object              */
             ssl = NULL;
         }
-        if (connd != SOCKET_INVALID) {
-            close(connd);           /* Close the connection to the client   */
-            connd = SOCKET_INVALID;
+        if (mConnd != SOCKET_INVALID) {
+            close(mConnd);           /* Close the connection to the client   */
+            mConnd = SOCKET_INVALID;
         }
     }
 
@@ -254,10 +299,14 @@ exit:
     /* Cleanup and return */
     if (ssl)
         wolfSSL_free(ssl);      /* Free the wolfSSL object              */
-    if (connd != SOCKET_INVALID)
-        close(connd);           /* Close the connection to the client   */
-    if (sockfd != SOCKET_INVALID)
-        close(sockfd);          /* Close the socket listening for clients   */
+    if (mConnd != SOCKET_INVALID) {
+        close(mConnd);           /* Close the connection to the client   */
+        mConnd = SOCKET_INVALID;
+    }
+    if (mSockfd != SOCKET_INVALID) {
+        close(mSockfd);          /* Close the socket listening for clients   */
+        mSockfd = SOCKET_INVALID;
+    }
     if (ctx)
         wolfSSL_CTX_free(ctx);  /* Free the wolfSSL context object          */
     wolfSSL_Cleanup();          /* Cleanup the wolfSSL environment          */